The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

An XCCDF Rule

Description

<VulnDiscussion>LDP provides the signaling required for setting up and tearing down pseudowires (virtual circuits used to transport Layer 2 frames) across an MPLS IP core network. Using a targeted LDP session, each PE router advertises a virtual circuit label mapping that is used as part of the label stack imposed on the frames by the ingress PE router during packet forwarding. Authentication provides protection against spoofed TCP segments that can be introduced into the LDP sessions.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-216794r878124_rule
Severity: Medium
References: CCI-001958
Updated: 17 days ago

The severity level can be downgraded to a category 3 if the router is configured to authenticate targeted LDP sessions using MD5 as shown in the example below.

RP/0/0/CPU0:R3(config)#mpls ldp
RP/0/0/CPU0:R3(config-ldp)#neighbor 10.1.1.1
RP/0/0/CPU0:R3(config-ldp)#neighbor password clear xxxxxxxx
RP/0/0/CPU0:R3(config-ldp)#neighbor 10.1.2.1RP/0/0/CPU0:R3(config-ldp)#neighbor password clear xxxxxxxx
RP/0/0/CPU0:R3(config-ldp)#commit

The Cisco PE router providing MPLS Layer 2 Virtual Private Network (L2VPN) services must be configured to authenticate targeted Label Distribution Protocol (LDP) sessions used to exchange virtual circuit (VC) information using a FIPS-approved message authentication code algorithm.

Description

Remediation - Manual Procedure